Damia Soler i Estrela wrote:
>
> I have a lot of entries in the log that are not illegal accesses
> to my machines. The source port is always 80 (http), and the
> destination port is the ip address of the people that are surfing the
> web. That is, the web-server sends packets to the browser, and the
> firewall thinks that the server is opening a connection to an internal
> host.
I see a lot of these. Typical cause is a slow link on your side, their
side, or perhaps a slow Web server. To verify this, check your logs to
see if you have matching outbound log entry. In other words, you see
something like this:
Source IP: Internal Client
Source port: >1023
Destination IP: external Web server
Destination Port: 80 (HTTP)
Action: Accept

Source IP: external Web server
Source port: 80
Destination IP: Internal Client
Destination Port: >1023 (same as above)
Action: drop/reject
If you have *both* of the above log entries, it's simply a speed issue.
Now, if you review your logs and cannot find a matching first entry
(i.e. a client visiting the Web site), this may be a scan. Certain
scanning tools allow you to set a source port of 80 along with RST, FIN,
ACK, etc. flags in order to make a firewall Administrator *think* this
is just a slow connection and nothing to worry about.
So it really comes down to whether you can find that first entry or not.
Cheers,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
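The check Chris describes (look for the outbound accept that explains an inbound source-port-80 drop; treat drops with no such entry as worth a closer look) can be automated against a firewall log. The script below is an added example, not code from the original message or from any firewall vendor. It assumes a constructed, simplified line format ("date time action tcp src:sport -> dst:dport flags=...") and constructed sample entries; a real firewall's log format and field names will differ, so `LINE_RE` would need adapting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log format for this example (real firewalls differ):
#   <date> <time> <action> tcp <src>:<sport> -> <dst>:<dport> [flags=<flags>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) tcp "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: flags=(?P<flags>\S+))?$"
)

# Constructed sample log. The first pair is a genuine slow reply: the client
# 10.0.0.5 opened a connection to the web server, and a late packet from the
# server was dropped after the firewall's state entry expired. The last three
# lines have no preceding outbound accept, so they are unsolicited.
SAMPLE_LOG = """\
2001-03-10 10:00:01 accept tcp 10.0.0.5:34567 -> 203.0.113.10:80 flags=S
2001-03-10 10:00:31 drop tcp 203.0.113.10:80 -> 10.0.0.5:34567 flags=A
2001-03-10 10:05:00 drop tcp 198.51.100.7:80 -> 10.0.0.9:1080 flags=A
2001-03-10 10:05:01 drop tcp 198.51.100.7:80 -> 10.0.0.9:1081 flags=A
2001-03-10 10:05:02 drop tcp 198.51.100.7:80 -> 10.0.0.9:1082 flags=A
"""


def parse(log_text):
    """Yield one dict per log line that matches the constructed format."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the format
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
        entry["sport"] = int(entry["sport"])
        entry["dport"] = int(entry["dport"])
        entry["raw"] = raw
        yield entry


def classify(log_text, window=timedelta(minutes=15)):
    """Split inbound source-port-80 drops/rejects into two buckets.

    'late_reply': an outbound accept from the same client IP and client port
                  to the same web server precedes the drop within `window`
                  (the "speed issue" case in the message above).
    'unsolicited': no matching outbound accept was found (the case that
                   deserves a closer look).
    """
    # (client_ip, client_port, server_ip) -> time of the outbound accept
    outbound = {}
    result = {"late_reply": [], "unsolicited": []}
    for e in parse(log_text):
        if e["action"] == "accept" and e["dport"] == 80:
            outbound[(e["src"], e["sport"], e["dst"])] = e["ts"]
        elif e["action"] in ("drop", "reject") and e["sport"] == 80:
            key = (e["dst"], e["dport"], e["src"])
            seen = outbound.get(key)
            if seen is not None and timedelta(0) <= e["ts"] - seen <= window:
                result["late_reply"].append(e)
            else:
                result["unsolicited"].append(e)
    return result


def unsolicited_by_source(result):
    """Count unsolicited entries per external source IP; a single source
    hitting many internal ports is the pattern to review first."""
    counts = defaultdict(int)
    for e in result["unsolicited"]:
        counts[e["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    r = classify(SAMPLE_LOG)
    print("late replies (have a matching outbound accept):")
    for e in r["late_reply"]:
        print("  ", e["raw"])
    print("unsolicited (no matching outbound accept):")
    for e in r["unsolicited"]:
        print("  ", e["raw"])
    print("unsolicited per source:", unsolicited_by_source(r))
```

The match key deliberately uses the client's IP and ephemeral port together with the server's IP, since the reply packet must carry exactly the ports the client used; matching on IP alone would let any prior visit to the same server explain an unrelated packet. The time window is an assumption; set it to roughly how long the firewall keeps a TCP state entry before expiring it.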